How do I include the search results in the scheduled search email?

Follow

Joe Zulli

• February 06, 2014 02:10

I have a scheduled search that looks for errors in the logs every hour and emails them to me if it finds any. A couple of months ago, when it found an error, the offending log message was included in the body of the email, which was extremely useful. Now, while I still get the email, it forces me to log in to see what actually went wrong. I doubt that it's something i changed on my end.... though I guess you never know for sure. Can this be changed back to the way it was? 

Joe

0

• 

  Kumar Saurabh

  • February 06, 2014 02:42

  hi Joe, 

  Can you share the query that you are using - I am wondering if it is a simple search expression, or if you are doing some kind of aggregation in the query. 

  thanks!

  kumar

  0

  Comment actions Permalink
• 

  Joe Zulli

  • February 06, 2014 18:18

  Hi Kumar,

  Yes, I am definitely doing an aggregation. It worked before though.... I suppose I don't need it, though it is nice for when I run the query by hand. Do I need to take it out? Here's the exact query:

  (((_source=application AND exception OR "[ERROR]") AND !"from android") AND !"from ios") AND !_sourceCategory=Grocery/CloudFront AND !_sourceCategory=Grocery/Chef | timeslice by 30m | count by _timeslice

   

   

  0

  Comment actions Permalink
• 

  Bradley Peterson

  • February 06, 2014 18:28

  I can confirm this.  Before Jan 8 my search alerts had a "Most recent results" section, but after the 8th it's missing.  They are aggregated searches.

  0

  Comment actions Permalink
• 

  Kumar Saurabh

  • February 06, 2014 19:42

  Yeah, if you can try this without the aggregation operators in the scheduled search - that would do the trick. you can save the search with aggregate query so that its available if/when you need it..

   

  best,

  kumar

  0

  Comment actions Permalink

Please sign in to leave a comment.